
Thursday, July 23, 2009

List of Auditing Reports in OIM

Overview of Operational Reports

The following sections describe the default operational reports in Oracle Identity Manager. These reports can be used by Oracle Identity Manager administrators and auditors for operational and compliance purposes.

The table below lists the operational reports available in the Administrative and User Console.

List of Operational Reports (Name - Description)

Entitlements Summary - Lists the number of users for each status type within each resource.
Policy List - Displays a snapshot of all policies defined within the system.
Delegated Administrators By Organization - Lists all the delegated administrator user groups for organizations.
Attestation Requests by Reviewer - Lists attestation requests by reviewer.
Approval Status By Approver - Provides a summary of all approval tasks.
User Resource Access - Lists the access rights to resources for selected users.
Resource Access List - Lists all users who have access to a selected resource.
Policy Detail - Lists complete details about specific policies defined within the system.
Group Membership Profile - Lists the number of users in different numbers of groups.
OIM Password Expiration - Lists users whose Oracle Identity Manager passwords are about to expire.
Group Membership - Provides a snapshot of users in each group.
Resource Password Expiration - Lists users whose resource passwords are about to expire (as determined by Oracle Identity Manager).
Organization Structure - Lists the hierarchical organization structure and user memberships.
Requests Initiated - Lists all requests initiated in a specified time interval.
Requests Details By Status - Returns details of all requests with a specified status.
Attestation Process List - Provides a snapshot of all defined attestation processes.
Attestation Requests by Process - Lists attestation requests by process.
Attestation Request Detail - Lists complete details of selected attestation requests.
Financially Significant Resources - Lists complete details of financially significant resources.
Delegated Administrators & Permissions By Organization - Lists all administrator user groups and permissions for organizations.
Delegated Administrators & Permissions By Resource - Lists all administrator user groups and permissions for resources.
Delegated Administrators By Resource - Lists all administrator and authorizer user groups for resources.

Overview of Historical Reports

The following sections describe the historical data reports in Oracle Identity Manager. These reports can be used by administrators and auditors for compliance and auditing purposes.

The table below lists the historical reports that are available in the Administrative and User Console.

List of Historical Reports (Name - Description)

User Resource Access History - Returns the history of a user's resource access.
Resource Access List History - Returns a history of all users who have had access to a selected resource.
User Profile History - Returns the history of a user's profile.
User Membership History - Returns the history of a user's memberships in a user group.
Group Membership History - Returns the history of a group's memberships.
Resource Activity - Returns the history of all provisioning and approval activities for a resource.
Task Assignment History - Returns the history of all task assignments, based on the tasks.
Password Reset Success Failure - Returns the password change metrics for Oracle Identity Manager users.
Account Activity In Resource - Lists all account activities in each resource.
Rogue Accounts By Resource - Lists all the rogue accounts in each resource. Note: This report is available only if the exception reporting feature is enabled. For more information.
Fine Grained Entitlement Exceptions By Resource - Lists all fine-grained entitlement exceptions associated with a resource. Note: This report is available only if the exception reporting feature is enabled. For more information, see Chapter 5, "Oracle Identity Manager Reporting".
Users Created - Lists all users created in a specified time interval.
Users Deleted - Lists all users deleted in a specified time interval.
Users Disabled - Lists all users disabled in a specified time interval.
Users Unlocked - Lists all users (accounts) unlocked in a specified time interval.

Thursday, June 25, 2009

Script for starting OIM/JBoss as a windows service

You can use this in conjunction with JavaService.exe (http://forge.objectweb.org/projects/javaservice/) to launch OIM's JBoss as a Windows service. Update the paths below to match your environment.

@echo off

SETLOCAL

rem Environment settings: adjust these to your installation
set JAVA_HOME=C:\j2sdk1.4.2_14
set JBOSS_HOME=C:\jboss-4.0.3SP1
set OIM_HOME=c:\oracle\xellerate
set NAME=OIMService
set JVMOPTIONS=-DXL.HomeDir=C:\oracle\xellerate -Djava.awt.headless=true

SET javaservice=%OIM_HOME%\bin\JavaService.exe
SET logdir=%OIM_HOME%\logs
SET jbossjar=%JBOSS_HOME%\bin\run.jar
SET toolsjar=%JAVA_HOME%\lib\tools.jar
SET jvmdll=%JAVA_HOME%\jre\bin\server\jvm.dll
SET svcmode=-auto
SET description=Oracle Identity Manager
rem optional service-dependency argument for JavaService; leave empty if none
SET dependsopt=

rem Register the service: JBoss is started via org.jboss.Main and stopped via org.jboss.Main.systemExit;
rem stdout and stderr of the JVM go to the OIM logs folder
"%javaservice%" -install %NAME% "%jvmdll%" -Djava.class.path="%jbossjar%;%toolsjar%" %JVMOPTIONS% -Xms128M -Xmx512M -start org.jboss.Main -stop org.jboss.Main -method systemExit -out "%logdir%\service_out.log" -err "%logdir%\service_err.log" -current "%JBOSS_HOME%\bin" %dependsopt% %svcmode% -overwrite -startup 6 -description "%description%"

ENDLOCAL

@pause

Thursday, June 18, 2009

Deleting OIM Users

OIM does not allow the deletion of users, for reporting and auditing reasons. In addition, the data model is very complex and the USR entries are referenced by almost every table in some fashion, so simply removing rows from the USR table is very dangerous: it has unintended consequences and invalidates any development or testing done against that database.

However, we can mark the users as deleted and then reuse the user IDs. Or, if we do not want to enable user ID reuse, we can change the user ID of the users we no longer need to indicate that they are no longer valid.

If someone wants a clean database, the approach is to create a new database, install OIM against it, and then migrate the connectors and integrations to the new OIM server using the Deployment Manager.

STEPS

In the Manage Users screen of the Administrative Console we can delete a full page of users by:
- clicking the "Delete" checkbox in the top row of the table to select the delete option for all of the users on the page
- and then clicking the "Delete" button at the bottom of the page.

By default the page displays only 10 users at a time, but the number of rows displayed can be raised to as many as 50 by changing "global.displayrecordNum.value" in the xlDefaultAdmin.properties file.

To reuse user IDs:
- Open the Design Console
- Go to the Administration - System Configuration form
- Search for the keyword "XL.UserIDReuse" and set the value to TRUE

This will allow you to reuse the user IDs of deleted users.

Customization Related to Redirect in OIM


Include a Link in the OIM Left Panel

Menu links are retrieved from the database through the menu items created in the Design Console.
Example (Form Information screen):
Class Name: My Menu.Menu 1
Description: My Menu Menu 1
Type: menuitem

- On the UI, the menus are grouped and their names globalized from the corresponding entries in the xlWebAdmin.properties file:
menuGroup.My-Menu=My Menu
menuItem.My-Menu.Menu-1=Menu 1

- /pages will have a new JSP page added with a 'tiles:insert' definition for the entry.
Example (/pages/SamplePage.jsp):
<%@ taglib uri="/WEB-INF/tld/struts-tiles.tld" prefix="tiles" %>
- tiles-defs.xml will have an entry with the definition name, referring to the definition used in the /pages JSP.
- The 'title' can be a code with a corresponding entry in the xlWebAdmin.properties file. This will be the title shown in the browser's title bar.
- The 'body' will refer to a JSP page to be created in the /tiles folder.
Example:
In tiles-defs.xml:

In xlWebAdmin.properties:
samplepage.title.showpage=Sample Page Title
- A new JSP is to be added to the /tiles folder with the name used in the tiles-defs.xml entry.
Example: /tiles/SamplePageTiles.jsp
- struts-config.xml will have two entries:
  - one for the form bean in the <form-beans> section, holding the bean properties required to store data for the logic of the new functionality.
    Example:
    type="com.thortech.xl.webclient.actions.SampleForm" />
  - one for the action class in the <action-mappings> section, which performs all the Java logic before forwarding to a JSP page with the display contents.
    Example:
    type="com.thortech.xl.webclient.actions.SampleAction"
    validate="false"
    input="/pages/SamplePage.jsp"
    scope="session"
    path="/sample"
    parameter="method">

- In the xlDefaultAdmin.properties file, add an entry that is used to forward to the corresponding method in the Java class:
  menuItem.My-Menu.Menu-1.link=sample.do?methodCode

- In the xlWebAdmin.properties file, add an entry whose value is the one after '?' in the previous step:
  sample.message.selection.method1=methodCode
- In the custom action class, implement the Struts-documented standard method getKeyMethodMap() with the following content:
  Map methodMap = super.getKeyMethodMap();
  methodMap.put("sample.message.selection.method1", "method1");
- Define a method named 'method1()' and put the logic and the forward in it.

Wednesday, June 3, 2009

How We Can Make User ID field Non-Required On Create User Form

1. Edit FormMetaData.xml in the \xellerate\config directory.

2. Change the optional attribute value from "false" to "true" for the User ID attribute reference under the Form section of FormMetaData.xml:

<Form name="3">
  <!-- User ID -->
  <AttributeReference editable="true" optional="true">-16</AttributeReference>

3. Save FormMetaData.xml and restart the application server.

Tuesday, May 26, 2009

Oracle identity manager Customized Strong Random Password Generation

To compile the adapter, the following steps must be executed:

1. Create a work folder, let's say c:\work and inside create the following structure:
c:\work\com\oracle\events\
2. Create a java file in c:\work\com\oracle\events\ named tcGenerateRandomPassword.java
3. Copy the source code provided in this document to the java file.

Here is the code,

package com.oracle.events;

import java.util.Random;
import com.thortech.xl.dataobj.tcDataSet;
import com.thortech.xl.util.logging.LoggerMessages;
import com.thortech.xl.util.logging.LoggerModules;
import com.thortech.util.logging.Logger;

public class tcGenerateRandomPassword extends com.thortech.xl.client.events.tcBaseEvent {
    private static Logger logger = Logger.getLogger(LoggerModules.XL_JAVA_CLIENT);

    public static int DEFAULT_PASSWORD_LENGTH = 8;
    public static char[] Special_Character = {'!','@','#','$','%','^','&','*','(',')'};

    public tcGenerateRandomPassword() {
        setEventName("Generating a random password for a User.");
    }

    // Pre-insert handler: only sets a password while a user is being created.
    protected void implementation() throws Exception {
        if (getDataObject().isDeleting()) {
            return;
        }
        if (getDataObject().isUpdating()) {
            return;
        }
        String randomPassword = getRandomPassword(DEFAULT_PASSWORD_LENGTH);
        getDataObject().setString("usr_password", randomPassword);
    }

    public static char getSpecialCharacter() {
        Random rand = new Random();
        int randInt = rand.nextInt(Special_Character.length);
        return Special_Character[randInt];
    }

    // Builds a password of n characters (at least 8) drawn from digits, lower case,
    // upper case and the special-character set, with no character used twice.
    public static String getRandomPassword(int n) {
        if (n <= 8) {
            n = DEFAULT_PASSWORD_LENGTH;
        }
        char[] pw = new char[n];
        int i = 0;
        while (i < n) {
            int c;
            switch ((int) (Math.random() * 4)) {
                case 0:  c = '0' + (int) (Math.random() * 10); break;
                case 1:  c = 'a' + (int) (Math.random() * 26); break;
                case 2:  c = 'A' + (int) (Math.random() * 26); break;
                default: c = getSpecialCharacter(); break;
            }
            char c1 = (char) c;
            boolean isExisting = false;
            for (int j = 0; j < i; j++) {
                if (c1 == pw[j]) {
                    isExisting = true;
                    break;
                }
            }
            if (!isExisting) {
                pw[i] = c1;
                i++;
            }
        }
        return new String(pw);
    }
}

4. In c:\work create a file named compile.bat with the following contents:
set OIM_LIBS=D:\oracle\oimserver\xellerate\lib
set CLASSPATH=%OIM_LIBS%\xlLogger.jar;%OIM_LIBS%\xlDataObjects.jar;%OIM_LIBS%\xlVO.jar;%OIM_LIBS%\xlUtils.jar
javac -classpath %CLASSPATH% com\oracle\events\tcGenerateRandomPassword.java
jar cf tcGenerateRandomPassword.jar *

5. Run compile.bat and check for any compilation errors.

6. At this point a JAR file named tcGenerateRandomPassword.jar will have been created in the c:\work folder.

Running the Code:

To add the newly created event handler to the OIM server, perform the following steps:

1. Copy the file tcGenerateRandomPassword.jar from c:\work to OIM_HOME\xellerate\EventHandlers

2. Open the Design Console and navigate to:
Development Tools -> Business Rule Definition -> Event Handler Manager

Follow the remaining steps (creating the event handler and adding it to the Pre-Insert list of the Users data object) as described in the post "Oracle Identity Manager User Id customization".

Sample output: fb(1W6O72dtq
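Math.random() and an unseeded java.util.Random, as used in the handler above, are not cryptographically secure generators, and nothing in getRandomPassword() guarantees that every character class actually appears in the result. The class below is an added example (not the post's code; the class and method names are mine): it keeps the post's character set and 8-character floor but draws from java.security.SecureRandom and enforces one character from each class, so the handler's getRandomPassword(int) could simply delegate to StrongPasswordGenerator.generate(n).

```java
package com.oracle.events;

import java.security.SecureRandom;

// Added example, not the blog's handler.
public final class StrongPasswordGenerator {

    private static final String DIGITS  = "0123456789";
    private static final String LOWER   = "abcdefghijklmnopqrstuvwxyz";
    private static final String UPPER   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String SPECIAL = "!@#$%^&*()";          // same set as the post
    private static final String[] CLASSES = { DIGITS, LOWER, UPPER, SPECIAL };
    private static final String ALL = DIGITS + LOWER + UPPER + SPECIAL;
    private static final int MIN_LENGTH = 8;                     // same floor as the post

    private static final SecureRandom RNG = new SecureRandom();  // CSPRNG instead of Math.random()

    /** Returns a password of the requested length (raised to MIN_LENGTH if shorter). */
    public static String generate(int length) {
        if (length < MIN_LENGTH) {
            length = MIN_LENGTH;
        }
        char[] pw = new char[length];
        int i = 0;
        // one mandatory character from each class ...
        for (int k = 0; k < CLASSES.length; k++) {
            pw[i++] = pick(CLASSES[k]);
        }
        // ... and the remainder from the full alphabet
        while (i < length) {
            pw[i++] = pick(ALL);
        }
        // Fisher-Yates shuffle with the same CSPRNG, so the mandatory
        // characters do not always occupy the first four positions
        for (int j = pw.length - 1; j > 0; j--) {
            int r = RNG.nextInt(j + 1);
            char tmp = pw[j];
            pw[j] = pw[r];
            pw[r] = tmp;
        }
        return new String(pw);
    }

    /** True if pw is long enough and contains at least one character of every class. */
    public static boolean meetsPolicy(String pw) {
        if (pw == null || pw.length() < MIN_LENGTH) {
            return false;
        }
        for (int k = 0; k < CLASSES.length; k++) {
            boolean found = false;
            for (int i = 0; i < pw.length() && !found; i++) {
                found = CLASSES[k].indexOf(pw.charAt(i)) >= 0;
            }
            if (!found) {
                return false;
            }
        }
        return true;
    }

    private static char pick(String alphabet) {
        return alphabet.charAt(RNG.nextInt(alphabet.length()));
    }

    public static void main(String[] args) {
        String pw = generate(12);
        System.out.println(pw + "  meets policy: " + meetsPolicy(pw));
    }
}
```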

If you have any questions, please post them.

Sunday, April 12, 2009

Oracle Identity Manager User Id customization

OIM User Id Customization :

To compile the adapter, the following steps must be executed:

1. Create a work folder, let's say c:\work and inside create the following structure:
c:\work\com\oracle\events\
2. Create a java file in c:\work\com\oracle\events\ named loginuseridgenern.java
3. Copy the source code provided in this document to the java file.
package com.oracle.events;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.FileWriter;
import com.thortech.xl.dataobj.tcDataSet;
import com.thortech.xl.util.logging.LoggerMessages;
import com.thortech.xl.util.logging.LoggerModules;
import com.thortech.util.logging.Logger;

public class loginuseridgenern extends com.thortech.xl.client.events.tcBaseEvent {

    private static Logger logger = Logger.getLogger(LoggerModules.XL_JAVA_CLIENT);

    public loginuseridgenern() {
        setEventName("Generating a random userid for a User.");
    }

    // Pre-insert handler: only runs while a user is being created.
    protected void implementation() throws Exception {
        if (getDataObject().isDeleting()) {
            return;
        }
        if (getDataObject().isUpdating()) {
            return;
        }
        String generatedLogin = getloginid();
        getDataObject().setString("usr_udf_username", generatedLogin);
        // or try usr_login instead of usr_udf_username
    }

    // Builds "x_" + first initial + up to six characters of the last name
    // + a three-digit sequence number that is kept in c:\Temp\seq.txt.
    private String getloginid() {
        String fl = "";
        try {
            BufferedReader br = new BufferedReader(new FileReader("c:\\Temp\\seq.txt"));
            String str = br.readLine();
            br.close();

            int aInt = Integer.parseInt(str.trim()) + 1;
            String seq = String.format("%03d", aInt);

            String fn = getDataObject().getString("usr_first_name");
            String ln = getDataObject().getString("usr_last_name");
            int length = ln.length();

            /*
             * If the last name is shorter than 6 characters, append the whole last name
             * to the first character of the first name; otherwise use its first 6 characters.
             */
            if (length < 6) {
                fl = "x_" + fn.substring(0, 1) + ln.substring(0, length) + seq;
            } else {
                fl = "x_" + fn.substring(0, 1) + ln.substring(0, 6) + seq;
            }

            // write the incremented counter back for the next user
            FileWriter fw1 = new FileWriter("c:\\Temp\\seq.txt");
            fw1.write(String.valueOf(aInt));
            fw1.flush();
            fw1.close();
        } catch (Exception ioex) {
            System.out.println("error writing file " + ioex.getMessage());
        }
        return fl;
    }
}
4. In c:\work create a file named compile.bat with the following contents:
set OIM_LIBS=D:\oracle\oimserver\xellerate\lib
set CLASSPATH=%OIM_LIBS%\xlLogger.jar;%OIM_LIBS%\xlDataObjects.jar;%OIM_LIBS%\xlVO.jar;%OIM_LIBS%\xlUtils.jar
javac -classpath %CLASSPATH% com\oracle\events\loginuseridgenern.java
jar cf loginuseridgenern.jar *

5. Run compile.bat and check for any compilation errors.

6. At this point a JAR file named loginuseridgenern.jar will have been created in the c:\work folder.

Running the Code:

To add the newly created event handler to the OIM server, perform the following steps:

1. Copy the file loginuseridgenern.jar from c:\work to OIM_HOME\xellerate\EventHandlers

2. Open the Design Console and navigate to:
Development Tools -> Business Rule Definition -> Event Handler Manager

3. Create a new Event Handler and specify:
Event Handler Name: loginuseridgenern
Package: com.oracle.events
Pre-Insert: Checked

4. Save the event handler.

5. Navigate to Development Tools -> Business Rule Definition -> Data Object Manager

6. Search for "Users" and add the event handler to the Pre-Insert list.

7. Click on the event handler name and OK.

8. Save.

From now on, every OIM user that is created will get a user ID made up of the first letter of the first name, the first letters of the last name and a unique sequence number, regardless of the user ID given in the Administrative Console or, in some cases, the user ID that comes in with the reconciliation event.
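The handler's getloginid() reads and rewrites c:\Temp\seq.txt without any locking, so two users created at the same moment can be handed the same sequence number, and an empty first or last name makes substring(0, 1) throw inside the catch-all. The class below is an added example (not the post's code; class, method and lock names are mine): it separates the naming rule from the counter, validates the names, and updates the counter under an exclusive file lock so the sequence stays unique across threads and processes on the same host.

```java
package com.oracle.events;

import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;

// Added example, not the post's event handler.
public final class LoginIdBuilder {

    private static final int MAX_LAST_NAME_CHARS = 6;
    // FileLock is held per JVM, so threads of the same server are serialised here
    private static final Object SEQ_LOCK = new Object();

    /**
     * Same rule as the post's getloginid():
     * "x_" + first initial + up to six characters of the last name + 3-digit sequence.
     */
    public static String buildLoginId(String firstName, String lastName, int seq) {
        String fn = firstName == null ? "" : firstName.trim();
        String ln = lastName == null ? "" : lastName.trim();
        if (fn.length() == 0 || ln.length() == 0) {
            throw new IllegalArgumentException("first and last name are required to derive a login id");
        }
        String lnPart = ln.substring(0, Math.min(ln.length(), MAX_LAST_NAME_CHARS));
        return "x_" + fn.substring(0, 1) + lnPart + String.format("%03d", seq);
    }

    /** Reads, increments and writes back the counter in seqFile under an exclusive lock. */
    public static int nextSequence(String seqFile) throws IOException {
        synchronized (SEQ_LOCK) {
            RandomAccessFile raf = new RandomAccessFile(seqFile, "rw");
            try {
                FileChannel ch = raf.getChannel();
                FileLock lock = ch.lock();               // blocks other processes on this host
                try {
                    String current = raf.readLine();     // null when the file is new or empty
                    int next = (current == null || current.trim().length() == 0)
                            ? 1 : Integer.parseInt(current.trim()) + 1;
                    raf.seek(0);
                    raf.setLength(0);                    // overwrite rather than append
                    raf.writeBytes(Integer.toString(next));
                    return next;
                } finally {
                    lock.release();
                }
            } finally {
                raf.close();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // constructed sample: "Jane Smithsonian" with sequence 42 gives x_JSmiths042
        System.out.println(buildLoginId("Jane", "Smithsonian", 42));
        // in the handler, call nextSequence first and pass its result to buildLoginId
        System.out.println(nextSequence("c:\\Temp\\seq.txt"));
    }
}
```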


Execution in the OIM Design Console:

1. Create Users

2. Create User Details

3. A user ID with the first letter of the first name, the last name and the sequence is generated

4. The new user is provisioned to Active Directory


Customizing the Oracle Identity Manager Logo

Customized OIM Logo

1. Go to JBOSS_HOME/server/default/deploy/xelleratefull.ear and extract xelleratefull.ear.

2. Take a backup of xelleratefull.ear.

3. After xelleratefull.ear is extracted a folder is created; rename the folder to xelleratefull.ear.

4. In the xelleratefull.ear folder, extract xlWebApp.war, go to the images folder and replace client_logo.gif with your new image, keeping the name client_logo.gif.

5. Restart JBoss and log in to the Admin Console.

Saturday, February 28, 2009

Generic Technology Connector(GTC)

INTRODUCTION

Using Oracle Identity Manager, custom connectors can be created that are known as Generic Technology Connectors; these do not depend on the APIs supported by the target systems, nor on the type and schema of the data repository in which the target systems store identity data.


BUSINESS CHALLENGES


Provisioning solutions have gained popularity in the IT industry and many companies have successfully deployed Oracle Identity Manager for managing provisioning. The most complicated part of deploying such a solution is creating the connectors that allow the provisioning system to integrate with the managed target systems. Oracle has many pre-defined connectors for OIM that are designed for target systems such as MS Active Directory. For applications that are not supported out of the box, such as custom Web Services, Generic Technology Connectors can be used to integrate Oracle Identity Manager with the target systems. Oracle's GTC technology focuses on communication with any trusted or target resource using standard protocols such as FTP, SMTP and HTTP, and generic message formats such as SPML, WS-SPML, CSV and LDIF.

For example, when a person joins an organization, his/her information is stored in the HR system. In the organization's environment, multiple trusted sources for storing and creating user identities exist. The identity management solution must be able to update the same common attributes from different sources depending on changes in the status of a person. When a person moves to another company within the same group of companies, the authoritative source for the common attributes may switch from the HR system of one company to the other company's HR system. The Generic Technology Connector can easily be re-configured to change its authoritative source correspondingly, so that the employee data in the identity management system remains current.


General Architecture Overview of Generic Technology Connector

Features of Generic Technology Connectors

1. A generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system.

2. The reconciliation and provisioning modules of a generic technology connector are composed of reusable components that you select. Each component performs a specific function during provisioning or reconciliation.

Features Specific to the Reconciliation Module

1. Trusted Source Reconciliation
2. User Account Status Reconciliation
3. Full and Incremental Reconciliation
4. Batched Reconciliation
5. Reconciliation of Multi-valued Attribute Data (Child Data) Deletion
6. Failure Threshold for Stopping Reconciliation

Other Features

The following features are not specific to the reconciliation or provisioning module:
1. Custom Data Fields and Field Mappings
2. Custom Providers
3. Multilanguage Support
4. Custom Date Formats
5. Propagation of Changes in OIM User Attributes to Target Systems

Conclusion

Oracle's Generic Technology Connector aims at quick and easy design of custom connectors to systems that are otherwise difficult to integrate in a short time. This improves the overall deployment time for a business application by reducing the effort spent on the user management piece, thus reducing time-to-market and increasing the revenue from the corresponding application.




Wednesday, February 11, 2009

OIM 9.1.0.1 on JBOSS 4.2.3GA javax.security.auth.login.LoginException: java.lang.NoSuchFieldError

ERROR,11 Feb 2009 15:39:42,453,[XELLERATE.JBOSSLOGINHANDLER],Error in creating login context
javax.security.auth.login.LoginException: java.lang.NoSuchFieldError: TRACE
at org.jboss.logging.Log4jLoggerPlugin.isTraceEnabled(Log4jLoggerPlugin.java:85)
at org.jboss.logging.Logger.isTraceEnabled(Logger.java:122)
at org.jboss.security.ClientLoginModule.initialize(ClientLoginModule.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at Thor.API.Security.LoginHandler.jbossLoginHandler.login(Unknown Source)
at Thor.API.Security.ClientLoginUtility.login(Unknown Source)
at com.thortech.xl.client.base.tcAppWindow.internalLogin(Unknown Source)
at com.thortech.xl.client.base.tcAppWindow.login(Unknown Source)
at com.thortech.xl.client.base.tcAppWindow.<init>(Unknown Source)
at com.thortech.xl.client.base.tcAppWindow.main(Unknown Source)



Solution:

The Design Console client ships with log4j 1.2.8, which has no TRACE level; the JBoss 4.2.3 logging plug-in expects it, hence the NoSuchFieldError. Replacing the client's log4j with the one JBoss uses fixes this:

1. Back up the original log4j-1.2.8.jar in oimclient/xlclient/ext.

2. Copy log4j.jar from the JBoss folder (JBOSS/server/default).

3. Paste the file into the client folder next to the original log4j-1.2.8.jar.

4. Rename the log4j.jar file to log4j-1.2.8.jar.

5. Start JBoss; this should work.

Sunday, January 18, 2009

What is Identity Management?

Identity Management is a discipline which encompasses all of the tasks required to create, manage, and delete user identities in a computing environment.

Let me put it in a simple way,

Imagine an enormous blueprint of an office building. It shows the rooms into which each person who works in the building can enter. The blueprint also shows what kind of key each person would need to open the door to get into that room, and what that person can do once they are there. A computer network is like the building, and each room represents a file, database or application on that network. The employees working in the building are the users. The keys are the privileges that the system administrator hands out to each person who works on the network, providing access to a file, database or application. The keys also determine what they can do while accessing a specific file or application.

Like building security, identity management is the most essential form of information protection that agencies use. Yet it is also among the information security practices that are least used or least properly implemented.

Identity management is more than simply permitting a user to log on; it controls what that user can do, similar to putting boundaries on where a person can go once in a building. A systems administrator assigns a credential of some sort, usually a number, to a worker. That number allows the employee or contractor access to the network and determines what resources can be accessed. It also can flag the administrator (through a monitoring tool) if the user somehow gains access to forbidden areas, or if the user is performing actions that may indicate an attempt to gain entry to prohibited areas.

Requiring a username and password, whether to pass through a firewall, to log on to a virtual private network or to open an application, is identity management in its minimal form. At a more sophisticated level, it incorporates biometrics (such as hand, fingerprint or iris scans) to identify a user, approves or denies access to resources (known as provisioning and deprovisioning), and delivers custom services (such as training materials and e-mails) based on users' roles in an organization. Identity management gives managers a custom view of the IT environment for each user, determined mostly by job function and security concerns.